The Baseband Apocalypse

all your baseband are belong to us

Attack scenarios against mobile phones have thus far concentrated on the application processor. The operating systems running on these processors are getting hardened by vendors as can be seen in the case of Apple's iOS -- the current release uses data execution prevention and code signing. In contrast, the GSM stack running on the baseband processor is neglected. The advent of open-source solutions such as OpenBSC and OpenBTS for running GSM base stations is a game-changer: Malicious base stations are not within the attack model assumed by the GSMA and ETSI.

This talks explores the viability of attacks against the baseband processor of GSM cellular phones. Results presented will be the first over-the-air memory corruption exploitation of bugs in a number of widespread GSM stacks that that allow for remote code execution.